Check that the directory does not exist.

Otherwise, it could allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names. Reported as CVE-2014-2893 ( https://security-tracker.debian.org/tracker/CVE-2014-2893 ) Found by Jakub Wilk llvm-svn: 211051
2014-06-16 20:31:15 +00:00 · 2014-06-16 20:31:15 +00:00 · c7bc52596f
parent 675d279af4
commit c7bc52596f
1 changed files with 6 additions and 0 deletions
--- a/clang/tools/scan-build/scan-build
+++ b/clang/tools/scan-build/scan-build
@ -206,6 +206,12 @@ sub GetHTMLRunDir {
  else {
    $NewDir = "$Dir/$DateString-$RunNumber";
  }
+
+  # Make sure that the directory does not exist in order to avoid hijack.
+  if (-d $NewDir) {
+      DieDiag("The directory '$NewDir' already exists.\n");
+  }
+
  mkpath($NewDir);
  return $NewDir;
 }